Clyde & Co has shared its insights on key findings from six data breach investigations conducted by the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong.
It identified recurring security failures and offered recommendations for mitigating risk amid the rising prevalence of cyberattacks.
The six incidents investigated by the PCPD in 2024 revealed significant shortcomings in cybersecurity measures among affected organisations, including Hong Kong Cyberport, the Consumer Council, and Hong Kong Ballet Limited. Clyde & Co’s analysis highlighted several recurring issues.
Clyde & Co noted that a lack of detailed IT security policies left organisations exposed. Cyberport’s 41-page security policy, for instance, lacked specific provisions for virus protection. Similarly, the South China Athletic Association (SCAA) did not have a password policy to ensure strong access controls, leaving systems vulnerable to breaches.
The firm emphasised that the failure to enable multi-factor authentication (MFA) on administrative accounts played a role in several incidents. Organisations such as Cyberport and the Consumer Council failed to implement this basic security measure, making it easier for attackers to gain unauthorised access.
Clyde & Co identified infrequent or insufficient IT security audits as another critical weakness. For example, the Council of Hong Kong Laureate Forum did not conduct regular audits, allowing unpatched vulnerabilities to persist and be exploited by attackers.
The risks associated with third-party service providers were evident in cases involving the Hong Kong Ballet and the Electrical and Mechanical Services Department (EMSD). Both organisations experienced breaches due to poor monitoring of contractors’ compliance with data security obligations.
Improper data retention practices were a recurring issue. Cyberport stored personal information for over 5,000 individuals beyond necessary periods, amplifying the impact of the breach. A similar problem was identified in the EMSD case, where contractors failed to delete outdated data.
To address these vulnerabilities, Clyde & Co recommended that organisations adopt the following measures:
Clyde & Co’s analysis situates these findings within the broader context of Hong Kong’s voluntary data breach notification framework. Although mandatory breach reporting has been proposed under potential amendments to the Personal Data (Privacy) Ordinance (PDPO), no such requirement currently exists, leaving gaps in accountability.
The firm stressed the need for businesses to take a proactive approach as cyber threats grow increasingly sophisticated. With ransomware attacks accounting for the majority of investigated breaches in 2024, Clyde & Co underscored the importance of bolstering internal security measures, monitoring third-party compliance, and cultivating awareness across all levels of an organisation.
Clyde & Co concluded that organisations must prioritise cybersecurity resilience to protect their operations and reputation.
By addressing common vulnerabilities, implementing recommended practices, and considering risk transfer mechanisms such as cyber insurance, businesses can better position themselves to manage the evolving threat landscape.